If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Security pros warn of critical flaws in Kerberos

Vulnerabilities in a technology widely used for network authentication have left computers running Unix, Linux and Apple Computer's Mac OS X potentially open to attack.
The flaws could allow an online intruder to gain access to computers running a security feature known as Kerberos. The vulnerabilities, found by the developers at the Kerberos Team at the Massachusetts Institute of Technology, should be patched as soon as possible, Sam Hartman, engineering lead for the team, said Wednesday.

"I would not expect this to lead to a worm," Hartman said. "Most sites will patch it because patching is easy to do. Whereas, if you do have a compromise, it is a lot of work to recover."

Kerberos is the keystone to security for many networks. The software essentially acts as a gatekeeper, identifying the people who are allowed to access computers in the network and those who are not. That makes the software flaws particularly pernicious.

The flaws, known as double-free vulnerabilities, are caused because a part of the program attempts to free up the same computer memory space twice. Such errors are not as easy to take advantage of as another, more common memory error--the buffer overflow. That gives administrators a little breathing room, Hartman said.

"We have no reason to believe that anyone has produced an exploit program," he said. "Moreover, this is not something where we have seen an attack in the wild."

Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication. However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said.

However, Sun Microsystems' Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies, such as Red Hat, have announced patches for the problem, but not all have.

Even if a worm may not be created to exploit the flaws, administrators need to patch the issue as soon as possible, said Alfred Huger, senior director for security at network protection firm Symantec. "We see a lot of it in customer environments," he said. "It is very common."

Busy company IT managers frequently will not place high priority on vulnerabilities that have not been exploited by hackers. Yet, Huger stressed that thinking that way is asking for trouble.

"A worm likely won't be created using this flaw, but that means that it may stay unpatched, and that is really dangerous, especially with something that serves up your authentication," he said.

The publication of the advisory went much smoother than a year ago, when another flaw in Kerberos was found. That information was leaked out early by an unknown person who claimed to have access to the network.

Administrators should check their operating system vendor's Web site for more information on the recent flaws.

The flaw only affects MIT's implementation of Kerberos (more precisely the KDC daemon). Another common implementation of kerberos is Heimdal (used on OpenBSD for example) and is not vulnerable, just like MS's isn't.

This leads to my point which is that, unlike recent annoucned "crypto/protocol"vulnerabilities that have been made public recently (refering to MD5 and SHA), this is not a flaw in the Kerberos protocol itself but a coding error in MIT's implementation. I just felt the need to point this out as I feel the title of this thread can be a bit misleading...